
Analysis Report 9644a199_by_Libranalysis

Overview

General Information

Sample Name: 9644a199_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 399523
MD5: 9644a199c0d74c2f223b042b93899333
SHA1: 00a0778246cd4e4df046ea7c3ccdb5d04f056a19
SHA256: 0b10841226c0d6fb59f308c09309e79d214ca6799ac162c1addd5455d7ef3fd7
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 9644a199_by_Libranalysis.exe (PID: 5876 cmdline: 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe' MD5: 9644A199C0D74C2F223B042B93899333)
    • schtasks.exe (PID: 5364 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "peter.terkper@gh-wilmar-intl.comqwert2829@email.gous2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.490261636.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.254296394.00000000033D9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
6.2.9644a199_by_Libranalysis.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.9644a199_by_Libranalysis.exe.3478240.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.9644a199_by_Libranalysis.exe.3478240.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe', ParentImage: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe, ParentProcessId: 5876, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp', ProcessId: 5364

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "peter.terkper@gh-wilmar-intl.comqwert2829@email.gous2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: 9644a199_by_Libranalysis.exe | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 9644a199_by_Libranalysis.exe | Joe Sandbox ML: detected
Source: 6.2.9644a199_by_Libranalysis.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9644a199_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 9644a199_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_070ADA78
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_070ADD90

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49738 -> 208.91.199.225:587
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary:
Source: 9644a199_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.260145490.0000000006FD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.245884260.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249393872.00000000023D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVBfgoJBIDAvgwQVPyHeYxZlKqgNIVZusxmAYQv.exe4 vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.262232027.000000000CFA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.262232027.000000000CFA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.259159909.0000000006550000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.261360003.000000000CEA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000005.00000002.243799710.0000000000152000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.497643580.0000000006660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.484600154.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVBfgoJBIDAvgwQVPyHeYxZlKqgNIVZusxmAYQv.exe4 vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.485268572.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe, 00000006.00000002.486087626.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe | Binary or memory string: OriginalFilenameWeakReference.exeJ vs 9644a199_by_Libranalysis.exe
Source: 9644a199_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 9644a199_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lklQGPQqWZ.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/4@1/1
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | File created: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | File created: C:\Users\user\AppData\Local\Temp\tmp78E2.tmp
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: 9644a199_by_Libranalysis.exe, 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                  Source: 9644a199_by_Libranalysis.exeReversingLabs: Detection: 25%
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeFile read: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe 'C:\Users\user\Desktop\9644a199_by_Libranalysis.exe'
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exe
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'Jump to behavior
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exeJump to behavior
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe C:\Users\user\Desktop\9644a199_by_Libranalysis.exeJump to behavior
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: 9644a199_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 9644a199_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 1_2_000A52AF push es; iretd 1_2_000A52C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 1_2_000A527F push es; iretd 1_2_000A52C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 1_2_000AB93F push edi; ret 1_2_000AB940
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 5_2_0015527F push es; iretd 5_2_001552C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 5_2_0015B93F push edi; ret 5_2_0015B940
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 5_2_001552AF push es; iretd 5_2_001552C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 6_2_00A452AF push es; iretd 6_2_00A452C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 6_2_00A4527F push es; iretd 6_2_00A452C8
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 6_2_00A4B93F push edi; ret 6_2_00A4B940
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Code function: 6_2_0601EE8A push esp; ret 6_2_0601EED1
                  Source: initial sample | Static PE information: section name: .text entropy: 7.81806704366
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | File created: C:\Users\user\AppData\Roaming\lklQGPQqWZ.exe

                  Boot Survival:

                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lklQGPQqWZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp78E2.tmp'

                  Hooking and other Techniques for Hiding and Protection:

                  Moves itself to temp directory
                  Source: c:\users\user\desktop\9644a199_by_libranalysis.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG256.tmp
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 00000001.00000002.249843749.0000000002424000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 9644a199_by_Libranalysis.exe PID: 5876, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\9644a199_by_Libranalysis.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAd